[PATCH v2] drm/tegra: Check size of a submitted command buffer

Sun May 14 16:08:27 UTC 2017

On 14.05.2017 15:56, Mikko Perttunen wrote:
> 
> 
> On 05/14/2017 03:45 PM, Dmitry Osipenko wrote:
>> On 14.05.2017 15:27, Mikko Perttunen wrote:
>>> On 05/12/2017 10:29 PM, Dmitry Osipenko wrote:
>>>> If command buffer claims a number of words that is higher than its BO can
>>>> fit and a relocation lays past the BO, a kernel OOPS will be fired on that
>>>> relocation address patching. This was triggered by an opentegra Xorg driver
>>>> that erroneously pushed too many commands to the pushbuf.
>>>>
>>>> [   46.829393] Unable to handle kernel paging request at virtual address
>>>> f09b2000
>>>> ...
>>>> [<c04a3ba4>] (host1x_job_pin) from [<c04dfcd0>] (tegra_drm_submit+0x474/0x510)
>>>> [<c04dfcd0>] (tegra_drm_submit) from [<c04deea0>] (tegra_submit+0x50/0x6c)
>>>> [<c04deea0>] (tegra_submit) from [<c04c07c0>] (drm_ioctl+0x1e4/0x3ec)
>>>> [<c04c07c0>] (drm_ioctl) from [<c02541a0>] (do_vfs_ioctl+0x9c/0x8e4)
>>>> [<c02541a0>] (do_vfs_ioctl) from [<c0254a1c>] (SyS_ioctl+0x34/0x5c)
>>>> [<c0254a1c>] (SyS_ioctl) from [<c0107640>] (ret_fast_syscall+0x0/0x3c)
>>>>
>>>> Signed-off-by: Dmitry Osipenko <digetx at gmail.com>
>>>> ---
>>>>
>>>> v2: Take into account the cmdbuf.offset
>>>>
>>>>  drivers/gpu/drm/tegra/drm.c | 18 ++++++++++++++----
>>>>  1 file changed, 14 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/gpu/drm/tegra/drm.c b/drivers/gpu/drm/tegra/drm.c
>>>> index 732c8d98044f..9ad4ac7c08d1 100644
>>>> --- a/drivers/gpu/drm/tegra/drm.c
>>>> +++ b/drivers/gpu/drm/tegra/drm.c
>>>> @@ -361,20 +361,30 @@ int tegra_drm_submit(struct tegra_drm_context *context,
>>>>
>>>>      while (num_cmdbufs) {
>>>>          struct drm_tegra_cmdbuf cmdbuf;
>>>> -        struct host1x_bo *bo;
>>>> +        struct drm_gem_object *gem;
>>>> +        struct tegra_bo *bo;
>>>>
>>>>          if (copy_from_user(&cmdbuf, cmdbufs, sizeof(cmdbuf))) {
>>>>              err = -EFAULT;
>>>>              goto fail;
>>>>          }
>>>>
>>>> -        bo = host1x_bo_lookup(file, cmdbuf.handle);
>>>> -        if (!bo) {
>>>> +        gem = drm_gem_object_lookup(file, cmdbuf.handle);
>>>> +        if (!gem) {
>>>>              err = -ENOENT;
>>>>              goto fail;
>>>>          }
>>>>
>>>> -        host1x_job_add_gather(job, bo, cmdbuf.words, cmdbuf.offset);
>>>> +        drm_gem_object_unreference_unlocked(gem);
>>>> +
>>>> +        if (cmdbuf.offset + cmdbuf.words * 4 > gem->size) {
>>>> +            err = -EINVAL;
>>>> +            goto fail;
>>>> +        }
>>>
>>> Nasty bug! Well found. Two points: the arithmetic here could overflow, so
>>> userspace could supply some large values for offset/words and this check would
>>> not catch it. A fix would be to do the arithmetic in 64-bit. Also, looking at
>>> the code closer, I can't see any bounds checking for relocs either.. That code
>>> (host1x_reloc_copy_from_user) is the other place using host1x_bo_lookup, so we
>>> could e.g. change host1x_bo_lookup to take offset and words parameters and
>>> verify those at the same time.
>>>
>> Good point, unfortunately there are a lot of ways to abuse the staging API on
>> the IOMMU-less Tegra20 right now.
>>
> 
> Indeed, though I think the relocation issue would be a problem on IOMMU-enabled
> systems as well. The Tegra20 and firewall have always been in a bit a bad
> position, as I'm not sure if the firewall was ever used in production during
> Tegra20's prime time, and of course it was quickly abandoned in downstream when
> we got IOMMUs on later chips.
> 

In the IOMMU case some BO will be corrupted in the worst case and it's a
userspace problem, while in the non-IOMMU it will be an arbitrary phys memory.
Anyway it should be better to fail explicitly in any case.

> Thanks for contributing :)

My pleasure ;)

-- 
Dmitry